1. Field of the Invention
The present invention relates to a system and method for managing global risk, and more particularly relates to a globally accessible system for evaluating variables related to risk associated with a given project or enterprise.
2. Related Prior Art
In any given enterprise it is often desirable to evaluate the risk associated with particular activities. Risk can be determined in a number of ways, for instance on the basis of possible positive and negative outcomes, and different risks can be assigned different levels of importance for a given project.
For example, an enterprise may wish to evaluate its exposure with regard to regulatory compliance. Individuals within the enterprise who are responsible for regulatory compliance generally need a working knowledge of the procedures in place to achieve compliance, and of the status of the various efforts to ensure compliance with regulatory requirements. Whenever a new task is undertaken in an area related to regulatory compliance, the person or persons initiating the project for completing the task may be required to assess the risk involved in implementing a solution. The persons knowledgeable about the task and its goals may be required to answer a questionnaire or otherwise fill out a form that evaluates the risk associated with the particular task with respect to the applicable regulatory requirements, and that also serves reporting purposes. The task may be evaluated, for example, for the liability the enterprise would face if a customer made a claim based on regulatory provisions with which the enterprise has not complied. The individuals may be asked to rate various levels of risk from low to high, and to provide other indicia for ranking risk factors.
Another aspect of risk management relates to procedures established by the enterprise, with accompanying directives from management to comply with those procedures. A manager responsible for a particular department may wish to establish the level of risk associated with activities in the department, and may formulate a system for evaluating and reporting risks that can be used by lower-level managers and project managers, for instance. For example, on a periodic basis, such as quarterly, the managers in a given department might be required to communicate to upper management the risk factors and risk evaluations related to the operation of computer information systems. Such risk factors can include security, backup procedures and data retention procedures, for example. The risk factor information can be provided through forms or questionnaires in which the managers evaluate the risk and risk factors associated with the projects for which they are responsible. These forms and questionnaires can be compiled into reports and other summary data that give a department manager a reasonably clear picture of the level of compliance with the various enterprise procedures.
Typically, if a group within the department is not in compliance with the procedures established for the enterprise, this can be noted in the summary or compiled data presented to the department manager. The department manager can then establish a plan to bring the group into compliance, and monitor the group's progress against the plan.
How well an enterprise evaluates its risk can have serious consequences for the success or profitability of the enterprise. For example, if an enterprise is found not to be in compliance with regulatory requirements, it may be subject to penalties such as large fines, lawsuits, or intense scrutiny by regulatory agencies. In addition, if the enterprise has established procedures designed to protect it from liability, or otherwise to keep levels of risk within the enterprise to a minimum, the enterprise can be exposed to tremendous liability if those procedures are not properly followed. The enterprise may suffer further liability if it is unable to ascertain, or to provide proof of, compliance with its established procedures, in the context of a lawsuit, for example. Moreover, the enterprise may lose a competitive advantage if sensitive data is compromised.
Accordingly, large enterprises, which may be vulnerable to a number of different types of risk, typically attempt to ascertain the level of exposure to given risks at various levels within the enterprise, and to minimize the exposure to risk that the enterprise may suffer. In addition, the enterprise may establish a reporting system in which the degree of compliance with established procedures or regulatory requirements is readily accessible. Finally, the enterprise may wish to establish a plan to bring various groups or departments into compliance with procedures or regulatory requirements, and to track the progress of the plan as the group or department moves toward compliance.
In typical enterprises, these reports and status updates on compliance with procedures or regulatory requirements are often haphazard and inconsistent. For example, some managers may regard filling out forms and answering questionnaires as an inefficient use of time, and fail to complete risk assessments effectively. Furthermore, in a department whose manager fails to take note of the problems caused by not evaluating the risk associated with the department's activities, other members of the department will often likewise fail to complete assessments of the risk of activities within the department.
The tools used in these risk assessment systems are also form-intensive, and inconsistent between enterprise locations, for example. It is also often difficult to track and maintain the data obtained from risk assessment forms. For example, the forms containing risk assessment information must be gathered, and the information must be compiled, before it is useful as a risk assessment tool. Transferring paper documents within a large-scale enterprise is often difficult, and can lead to problems with document storage space.
Solutions to the difficulties of paper-based risk assessment reporting often involve computer systems that permit a number of individuals responsible for risk assessment to enter data online. Once the risk assessment data is in electronic form, tasks such as data compilation, reporting and assessment can be accomplished with greatly reduced overhead and with considerable savings in valuable resources. However, systems in which individuals enter risk assessment information online suffer from some of the same drawbacks as paper-based systems. For example, separate departments and locations within an enterprise may develop their own online tools for entering risk assessment information, so that it is difficult to consolidate information across departments or enterprise locations. This lack of consistency across departments is especially noticeable when some groups, departments or locations within an enterprise continue to use a paper-based risk assessment system while others use a variety of online systems. Consolidating risk assessment information in such an environment can require a tremendous amount of resources and still produce inconsistent results.
Additionally, if a group or department is not in compliance with a given protocol, devising a plan to bring it into compliance can be problematic. Managing the progress of any plan to achieve compliance can be troublesome and is subject to some of the same difficulties as accumulating the risk assessment information in the first place. For example, progress on the plan may be reported inconsistently, or the plan may be perceived as a low-priority task. It is also difficult for department managers to obtain timely feedback regarding compliance with protocols. For example, if a department must be in regulatory compliance by a specific date, it may be very difficult for the department manager to evaluate whether the department is on schedule to meet the regulatory requirements.
Accordingly, a system for assessing risk on a widespread and consistent basis, which also provides reporting, planning for compliance, assignment of responsibility and accountability, and tracking of compliance plans, is highly desirable. Such a system, and a method for accomplishing it, are provided by the present invention.